How To Install Apache Tomcat 9 on CentOS 8 / RHEL 8

Apache Tomcat is an open-source Java HTTP web server developed by the Apache Software Foundation (ASF). Tomcat is used to deploy Java Servlets and JavaServer Pages (JSP) and serves them like an HTTP web server.

In this post, we will see how to install Apache Tomcat 9 on CentOS 8 / RHEL 8.

Prerequisites

Install Java

Tomcat requires Java 8 or above to be installed on your machine. You can install any stable version of Oracle JDK or OpenJDK.

READ: How To Install Oracle JAVA on CentOS 8 / RHEL 8

For this post, I am using OpenJDK.

yum install -y java wget tar

Verify the Java installation by issuing the following command.

java -version

Output:

openjdk version "1.8.0_222"
OpenJDK Runtime Environment (build 1.8.0_222-b10)
OpenJDK 64-Bit Server VM (build 25.222-b10, mixed mode)

Create Tomcat Service Account

As a best practice, the Tomcat service should not run as the root user. So, create a regular Linux user for running the Tomcat service.

useradd -d /opt/tomcat -s /sbin/nologin tomcat

Install Apache Tomcat

Download Tomcat

Download Apache Tomcat from the official website and save it in your working directory.

At the time of writing this article, Tomcat v9.0.22 is available for installation.

Browser

Download Apache Tomcat 9.0

Terminal

wget https://www-us.apache.org/dist/tomcat/tomcat-9/v9.0.26/bin/apache-tomcat-9.0.26.tar.gz

Setup Tomcat

Extract the Tomcat tarball and move it to your desired (/opt/tomcat) directory.

tar -zxvf apache-tomcat-*.tar.gz

mv apache-tomcat-*/* /opt/tomcat/

Change the ownership of the directory to the tomcat user.

chown -R tomcat:tomcat /opt/tomcat/

Create Systemd file

We can configure systemd to manage the Tomcat service, which also lets Apache Tomcat start automatically at system boot.

Tomcat’s systemd service file requires a Java installation location. So, list the available Java versions on your system using the following command.

alternatives --list  | grep ^java

Output:

java                    auto    /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.222.b10-0.el8_0.x86_64/jre/bin/java

At this time, I only have Java 1.8 on my system.

Create a tomcat systemd service file.

vi /etc/systemd/system/tomcat.service

Add the following to the systemd service file. Change the values according to your environment.

[Unit]
Description=Apache Tomcat Web Application Container
Wants=network.target
After=network.target

[Service]
Type=forking

Environment=JAVA_HOME=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.222.b10-0.el8_0.x86_64/jre

Environment=CATALINA_PID=/opt/tomcat/temp/tomcat.pid
Environment=CATALINA_HOME=/opt/tomcat
Environment='CATALINA_OPTS=-Xms512M -Xmx1G -Djava.net.preferIPv4Stack=true'
Environment='JAVA_OPTS=-Djava.awt.headless=true'

ExecStart=/opt/tomcat/bin/startup.sh
ExecStop=/opt/tomcat/bin/shutdown.sh
SuccessExitStatus=143

User=tomcat
Group=tomcat
UMask=0007
RestartSec=10
Restart=always

[Install]
WantedBy=multi-user.target

SELinux

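Consider disabling SELinux if it blocks Tomcat from starting. The first command switches SELinux to permissive mode on the running system; the second makes the change persistent across reboots.

setenforce 0

sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config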

Start Apache Tomcat

Reload systemd daemon.

systemctl daemon-reload

To start the Tomcat service, run:

systemctl start tomcat

To check the status of Tomcat, run:

systemctl status tomcat

Screenshot: Tomcat Service Status

Enable Tomcat service to autostart on system start.

systemctl enable tomcat

By default, Tomcat runs on port 8080. Use the netstat command to check whether the service is listening on port 8080.

netstat -antup | grep 8080

Output:

tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      2904/java

Firewall

Allow port 8080 in the firewall so that we can access Apache Tomcat from external networks.

firewall-cmd --permanent --add-port=8080/tcp

firewall-cmd --reload

Configure Apache Tomcat Web UI

Apache Tomcat can be managed through the Web Manager.

With Web Manager, you can

  • Deploy new applications
  • Deploy new applications on the specified context
  • List the active or inactive applications
  • Start and stop the web applications

Also, Tomcat has the Host Manager to manage its virtual hosts.

User Management

Both the Web Manager and the Host Manager are password-protected and require a username and password to access.

Only users with the “manager-gui” and “admin-gui” roles are allowed to access the Web Manager and Host Manager, respectively.

These users and roles are defined in tomcat-users.xml.

vi /opt/tomcat/conf/tomcat-users.xml

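Place the following lines just above the last line (</tomcat-users>). Each role needs its own role element. The password shown is an example value; replace it with a strong one of your own.

<role rolename="admin-gui"/>
<role rolename="manager-gui"/>
<user username="admin" password="tomcat" roles="manager-gui,admin-gui"/>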
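
A check for the entries in tomcat-users.xml, as an added example that is not part of the original article: it flags accounts holding Manager or Host Manager roles whose password is well-known, equal to the username, or short, and role elements whose rolename contains a comma. The sample file, the small password list and the 12-character minimum are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of conf/tomcat-users.xml (not read from a server).
SAMPLE = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="admin-gui,manager-gui"/>
  <user username="admin" password="tomcat" roles="manager-gui,admin-gui"/>
  <user username="deploy" password="constructed-long-passphrase-91" roles="manager-script"/>
  <user username="viewer" password="viewer" roles="reports"/>
</tomcat-users>"""

# Tomcat's built-in Manager and Host Manager roles.
PRIVILEGED = {"manager-gui", "manager-script", "manager-jmx", "manager-status",
              "admin-gui", "admin-script"}
WEAK = {"tomcat", "admin", "password", "changeit", "s3cret"}  # illustrative, not exhaustive
MIN_LEN = 12  # assumption: minimum length taken from local policy


def local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on namespaced tags."""
    return tag.rsplit("}", 1)[-1]


def audit(xml_text):
    """Return (subject, problem) pairs for privileged users and malformed roles."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        kind = local(el.tag)
        if kind == "role" and "," in el.get("rolename", ""):
            # rolename holds exactly one name; a comma becomes part of that name
            findings.append((el.get("rolename"), "one role per <role> element"))
        if kind != "user":
            continue
        name, pw = el.get("username", ""), el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",")}
        if not roles & PRIVILEGED:
            continue  # only accounts that can reach Manager / Host Manager
        if pw.lower() in WEAK:
            findings.append((name, "well-known password"))
        if pw.lower() == name.lower():
            findings.append((name, "password equals username"))
        if len(pw) < MIN_LEN:
            findings.append((name, f"password shorter than {MIN_LEN} characters"))
    return findings


if __name__ == "__main__":
    for subject, problem in audit(SAMPLE):
        print(f"{subject}: {problem}")
```

To check a real installation, pass the contents of /opt/tomcat/conf/tomcat-users.xml to audit() instead of SAMPLE.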

Allow Access

For security reasons, both the Web Manager and the Host Manager are accessible only from localhost, i.e., from the server itself.

To enable access to the Web Manager and Host Manager from remote systems, you need to add your network to the allow list.

To do that, follow the steps below.

Web Manager

vi /opt/tomcat/webapps/manager/META-INF/context.xml

Update the line below with the source IP from which you’re accessing the Web and Host Manager.

Allow everyone

.* will allow everyone to have access to Web manager.

allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|.*" />

Allow Org network

You can also allow only your organization's network. For example, to allow only the 192.168.1.0/24 network, use the value below. The dots are escaped so that they match a literal dot, and \d+ limits the match to a single final octet.

allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|192\.168\.1\.\d+" />

Host Manager

vi /opt/tomcat/webapps/host-manager/META-INF/context.xml

Update the line below with the source IP from which you’re accessing the Host Manager.

Allow everyone

.* will allow everyone to have access to the Host manager.

allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|.*" />

Allow Org network

You can also allow only your organization's network. For example, to allow only the 192.168.1.0/24 network, use the value below. The dots are escaped so that they match a literal dot, and \d+ limits the match to a single final octet.

allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|192\.168\.1\.\d+" />
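
The allow attribute is a regular expression, so an unescaped pattern such as 192.168.1.* admits more than 192.168.1.0/24. The following added example (not part of the original article) tests three allow values against constructed client addresses. It assumes the valve requires the whole address to match, and it uses Python's re module in place of java.util.regex, which behaves the same for these constructs.

```python
import re

# Loopback part of the allow attribute, as shown on the page.
LOOPBACK = r"127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"

PATTERNS = {
    "everyone": LOOPBACK + r"|.*",
    "loose /24": LOOPBACK + r"|192.168.1.*",        # dots unescaped, tail open-ended
    "strict /24": LOOPBACK + r"|192\.168\.1\.\d+",  # literal dots, one final octet
}

# Constructed client addresses: loopback, inside the /24, neighbours, outside.
SAMPLES = ["127.0.0.1", "::1", "192.168.1.25", "192.168.10.25",
           "192.168.199.7", "192.168.2.25", "203.0.113.9"]


def allowed(pattern, addr):
    """True if the whole address matches (assumed valve behaviour: full match)."""
    return re.fullmatch(pattern, addr) is not None


def admitted(pattern):
    """Sample addresses the allow pattern lets through."""
    return [a for a in SAMPLES if allowed(pattern, a)]


def unintended(pattern, intended=r"192\.168\.1\.\d+"):
    """Non-loopback samples the pattern admits that lie outside 192.168.1.0/24."""
    return [a for a in admitted(pattern)
            if not allowed(LOOPBACK, a) and not allowed(intended, a)]


if __name__ == "__main__":
    for name, pattern in PATTERNS.items():
        print(f"{name:11} admits {admitted(pattern)}")
        print(f"{'':11} outside the /24: {unintended(pattern)}")
```

The loose pattern lets 192.168.10.25 and 192.168.199.7 through because "1.*" matches any third octet that begins with 1.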

Restart the Tomcat service.

systemctl restart tomcat

Access Tomcat

Open the web browser and point it to:

http://ip.add.re.ss:8080

You will now see Tomcat’s default page.

Screenshot: Apache Tomcat Default Page

Manager App (manager-gui): – Login Required. Username: admin, Password: tomcat.

Screenshot: Login Tomcat Application Manager

Here, you can deploy an application, deploy an application in a specified context, start, stop, reload, and un-deploy an application.

Screenshot: Tomcat Web Application Manager

Also, you can see the Tomcat server status.

Screenshot: Tomcat Server Status

Host Manager (admin-gui): – Login Required. Username: admin, Password: tomcat.

Screenshot: Login Tomcat Host Manager

Here, you can manage Tomcat’s virtual hosts.

Screenshot: Tomcat Virtual Host Manager

Conclusion

That’s all. I hope you have learned how to install Tomcat 9 on CentOS 8 / RHEL 8. You are now ready for your first web application. As a security recommendation, consider implementing SSL/TLS for Tomcat.
